Talos Vulnerability Report

TALOS-2017-0296

March 9, 2017

CVE Number

CVE-2017-2485

Summary

An exploitable use-after-free vulnerability exists in the x509 certificate validation functionality in Apple macOS Sierra (10.12.3 release and 10.12.4 public beta versions) and iOS 10.2.1. A specially crafted x509 certificate can trigger a use-after-free vulnerability, potentially resulting in remote code execution. To trigger this vulnerability, the victim needs to visit an HTTPS website or other server which serves a malicious certificate, or click on a file.

Tested Versions

Apple macOS 10.12.3
Apple macOS 10.12.4 beta
Apple iOS 10.2.1

Product URLs

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416: Use After Free

Details

When a client establishes a secure connection to a server, the server presents an x509 certificate which the client must validate. On Apple macOS, most client applications will use macOS's certificate validation agent, at which point the malicious certificate will be parsed by the vulnerable code. This vulnerability can be triggered by, for example, visiting an HTTPS website with either Safari or Chrome, by connecting to a malicious mail server via Mail.app, or by simply importing the certificate by double clicking on it in Finder.

The vulnerability exists in the code responsible for parsing nameConstraints x509v3 certificate extension fields. In an x509 certificate, nameConstraints are stored as general subtrees (RFC 5280), and while parsing them, the function parseGeneralSubtrees in the library /System/Library/Frameworks/Security.framework/Versions/A/Security gets called:

At [1], DER sequence decoding is started, and a new memory buffer is allocated at [2] and saved in register r15. At [3], the actual decoding is performed which, if it fails, ends up at loc_971A8, and then at [4] a pointer to the allocated memory is saved in [rbx], which points inside a structure allocated for this certificate. Because the call at [3] has failed, the check at [4] won't succeed and the memory buffer gets freed at once at [5]. This is the first free, and a stale pointer is left at [rbx]. Since this pointer is not NULL, it can later be reused, leading to a process crash and further undefined behaviour. With the supplied PoC certificate, the process will again attempt to free the already freed memory area while freeing all certificate parsing related structures when calling Security`SecCertificateDestroy.

If we consult open source code from Apple regarding DER parsing functions, we can see that DERDecodeSeqNext will return 3 on decoding error (DR_DecodeError enum to be precise), so in order to trigger this vulnerability, a specially crafted x509 certificate with invalid nameConstraints is needed.
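The stale-pointer pattern described above, next to a hardened form, as an added example that is not Apple's code or part of the original report. All names (buf_t, cert_t, decode_item, parse_vulnerable, parse_hardened, run) are hypothetical, the input bytes are constructed, and a pool with a liveness flag stands in for the heap so the second free is detected rather than executed.

```c
#include <stddef.h>

/* All names are hypothetical stand-ins for this example, not Apple's code. */
enum { DR_OK = 0, DR_DECODE_ERROR = 3 };  /* 3 is the error value the report cites */
typedef struct { int live; unsigned char data[64]; } buf_t;
typedef struct { buf_t *subtrees; } cert_t;  /* models the per-certificate structure */
static buf_t pool[4];

static buf_t *buf_alloc(void) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (!pool[i].live) { pool[i].live = 1; return &pool[i]; }
    return NULL;
}
/* Liveness flag lets a second free be detected (returns 1) instead of executed. */
static int buf_free(buf_t *b) {
    if (b == NULL || !b->live) return b != NULL;
    b->live = 0;
    return 0;
}
/* Minimal DER item check: tag byte, short-form length, content must fit the input. */
static int decode_item(const unsigned char *in, size_t len) {
    return (len < 2 || (in[1] & 0x80) || (size_t)in[1] + 2 > len) ? DR_DECODE_ERROR : DR_OK;
}

/* Pattern from the report: the pointer is stored whether or not decoding succeeded. */
static int parse_vulnerable(cert_t *c, const unsigned char *in, size_t len) {
    buf_t *b = buf_alloc();
    int rc = decode_item(in, len);
    c->subtrees = b;
    if (rc != DR_OK) buf_free(b);      /* first free; c->subtrees now dangles */
    return rc;
}

/* Hardened: publish the pointer only on success, so no stale value survives. */
static int parse_hardened(cert_t *c, const unsigned char *in, size_t len) {
    buf_t *b = buf_alloc();
    int rc = decode_item(in, len);
    if (rc != DR_OK) { buf_free(b); b = NULL; }
    c->subtrees = b;
    return rc;
}

/* Parse a constructed truncated item, then tear down; returns 1 on a double free. */
static int run(int hardened) {
    static const unsigned char bad[] = { 0x30, 0x10, 0x00 };  /* claims 16 bytes, has 1 */
    cert_t c = { NULL };
    (hardened ? parse_hardened : parse_vulnerable)(&c, bad, sizeof bad);
    return buf_free(c.subtrees);       /* what a destroy routine would do */
}
```
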

Further manipulation of the certificate layout in memory can lead to other structures being allocated at the freed chunk, leading to further undefined behaviour and eventual remote code execution.

When a simple PoC crashing certificate file is double clicked in Finder, it gets added to the keychain, which crashes when trying to parse it. This will keep crashing the com.apple.trustd agent in a loop, effectively rendering the system unusable and unable to connect to any SSL/TLS server.